Private businesses would have limited recourse against the new Digital Safety Commission’s broad powers to compel access to encrypted communications.Reuters
Jonathan McHale is the vice-president of digital trade at the Washington-based Computer & Communications Industry Association, where he leads the association’s digital trade advocacy.
The internet can undoubtedly be a dangerous place. From bullying, harassment and hate speech migrating online to child sexual abuse material and disinformation, combatting illegal and dangerous content requires an active partnership between stakeholders and governments.
Some countries, such as Britain, Australia, the members of the European Union and now Canada, have sought to step in and enable government bodies to force removal of this content. But there’s a risk: These new regimes weaken security systems that protect everyone’s data and privacy online. Policy makers need to improve safety without breaking the technology that protects security.
Responsible companies understand the stakes: The safer the internet, the better it is both for consumers and online services that need their trust to flourish. Leading technology companies and organizations have long worked alongside policy makers and civil society to find solutions, including through the Digital Trust & Safety Partnership.
Parliament is currently debating Bill C-63, legislation to enact Canada’s Online Harms Act, introduced earlier this year after years of deliberation.
The current bill appears to emulate the EU, Australian and British proposals to increase government oversight. But like these proposals, experts criticize Canada’s legislation for weakening security in areas such as encryption.
Encryption is the digital equivalent of locking your private information in an unbreakable safe. It’s a process that protects data using mathematical algorithms. End-to-end encryption ensures no one but the sender and receiver can read a message. Encryption safeguards privacy, from online banking to personal messages.
Bill C-63 may undermine privacy-enhancing technologies such as encryption. Private businesses would have limited recourse against the new Digital Safety Commission’s broad powers to compel access to encrypted communications. While searching for potentially harmful material, the commission might order a company to scan all the content it stores, processes or transmits. This could require breaking end-to-end encrypted services or otherwise decrypting these services en masse.
While some argue that is a small price to pay to combat crime, there are broader implications. The Canadian Civil Liberties Association has raised this alarm, stating that Bill C-63 provisions “include sweeping new search powers of electronic data with no warrant request” and calling them “unacceptable intrusions into individuals’ private lives.” Such a framework would give the newly created commission unprecedented power to argue for wider access to encrypted communications, even beyond what most would consider “harmful.”
These mandates, floated elsewhere in similar efforts to curtail online harms, weaken security and privacy for everyone that uses digital services (consumers, businesses and government entities).
Canada and the United States have a responsibility to work together to combat online harms and protect security. Both countries have also been leaders in promoting global use of encryption to improve both business and consumer safety online.
Reflecting a shared commitment to privacy and security, partners in the United States-Mexico-Canada Agreement jointly advanced a groundbreaking trade rule protecting encryption, which guarantees governments would generally not require companies to either hand over keys to break their encryption or to use a specific type of encryption technology.
This allows companies to deploy products using strong encryption – that the companies themselves cannot break – without fear of governments compelling them to weaken that technology, jeopardizing millions of users’ personal information and firms’ confidential information. Bill C-63 risks undoing this success, conflicting with both the letter and spirit of Canada’s trade commitments.
The government’s exclusion of private messaging and promise that encrypted communications will not be threatened is positive, but insufficient. By uniquely protecting that narrow space, the law implicitly undermines another – authorizing intrusive government access to many other services that would lack such immunity, including contact sharing, cloud storage, shared photo albums, file backups and collaboration software, which also require encryption to ensure integrity and confidentiality of messages and content.
Recent events have shown that bad actors will inevitably exploit backdoors set up for “the good guys.” A recent cyberattack linked to China on AT&T and Verizon in the U.S. is one of many examples of bad actors exploiting an unsecure door. Legislators can and should close this door by inserting a clarification that nothing in the legislation should be interpreted as permitting orders that would break end-to-end encryption or require the adoption of any specific encryption technology. This change would ensure compliance with trade agreements, and send a strong message that in democratic countries, privacy, security and safety online can and should co-exist.